!34 Package upgrade

From: @houyingchao 
Reviewed-by: @ruebb 
Signed-off-by: @ruebb

0003-remove-pytest-relaxed-dep.patch

@@ -1,14 +1,23 @@
-From 953d9a1f1055de97e35c7060fcebc7283eff9e29 Mon Sep 17 00:00:00 2001
-From: zhaorenhai <zhaorenhai@hotmail.com>
-Date: Fri, 29 Jan 2021 06:48:10 +0000
-Subject: [PATCH] drop pytest-relaxed
-
----
- tests/test_client.py | 24 ++++++++++++------------
- 1 file changed, 12 insertions(+), 12 deletions(-)
-
-diff --git a/tests/test_client.py b/tests/test_client.py
-index 60ad310c..2d665cdd 100644
+--- a/dev-requirements.txt
++++ b/dev-requirements.txt
+@@ -2,7 +2,6 @@
+ invoke==1.6.0
+ invocations==2.6.0
+ pytest==4.4.2
+-pytest-relaxed==1.1.5
+ # pytest-xdist for test dir watching and the inv guard task
+ pytest-xdist==1.28.0
+ mock==2.0.0
+--- a/pytest.ini
++++ b/pytest.ini
+@@ -1,7 +1,4 @@
+ [pytest]
+-# We use pytest-relaxed just for its utils at the moment, so disable it at the
+-# plugin level until we adapt test organization to really use it.
+-addopts = -p no:relaxed
+ # Loop on failure
+ looponfailroots = tests paramiko
+ # Ignore some warnings we cannot easily handle.
 --- a/tests/test_client.py
 +++ b/tests/test_client.py
 @@ -33,7 +33,7 @@ import warnings
@@ -16,47 +25,44 @@ index 60ad310c..2d665cdd 100644
  from tempfile import mkstemp
  
 -from pytest_relaxed import raises
-+from pytest import raises
++import pytest
  from mock import patch, Mock
  
  import paramiko
-@@ -684,10 +684,10 @@ class PasswordPassphraseTests(ClientTest):
+@@ -733,11 +733,11 @@ class PasswordPassphraseTests(ClientTest
  
      # TODO: more granular exception pending #387; should be signaling "no auth
      # methods available" because no key and no password
 -    @raises(SSHException)
+     @requires_sha1_signing
      def test_passphrase_kwarg_not_used_for_password_auth(self):
 -        # Using the "right" password in the "wrong" field shouldn't work.
 -        self._test_connection(passphrase="pygmalion")
-+        with raises(SSHException):
++        with pytest.raises(SSHException):
 +            # Using the "right" password in the "wrong" field shouldn't work.
-+            self._test_connection(passphrase='pygmalion')
++            self._test_connection(passphrase="pygmalion")
  
+     @requires_sha1_signing
      def test_passphrase_kwarg_used_for_key_passphrase(self):
-         # Straightforward again, with new passphrase kwarg.
-@@ -705,14 +705,14 @@ class PasswordPassphraseTests(ClientTest):
+@@ -757,15 +757,15 @@ class PasswordPassphraseTests(ClientTest
              password="television",
          )
  
 -    @raises(AuthenticationException)  # TODO: more granular
+     @requires_sha1_signing
      def test_password_kwarg_not_used_for_passphrase_when_passphrase_kwarg_given(  # noqa
          self
      ):
--        # Sanity: if we're given both fields, the password field is NOT used as
--        # a passphrase.
+         # Sanity: if we're given both fields, the password field is NOT used as
+         # a passphrase.
 -        self._test_connection(
 -            key_filename=_support("test_rsa_password.key"),
 -            password="television",
 -            passphrase="wat? lol no",
 -        )
-+        with raises(AuthenticationException): # TODO: more granular
-+            # Sanity: if we're given both fields, the password field is NOT used as
-+            # a passphrase.
++        with pytest.raises(AuthenticationException):
 +            self._test_connection(
-+                key_filename=_support('test_rsa_password.key'),
-+                password='television',
-+                passphrase='wat? lol no',
++                key_filename=_support("test_rsa_password.key"),
++                password="television",
++                passphrase="wat? lol no",
 +            )
--- 
-2.27.0
-

backport-CVE-2022-24302.patch

@@ -1,150 +0,0 @@
-From 4c491e299c9b800358b16fa4886d8d94f45abe2e Mon Sep 17 00:00:00 2001
-From: Jeff Forcier <jeff@bitprophet.org>
-Date: Fri, 25 Feb 2022 14:50:42 -0500
-Subject: [PATCH] Fix CVE re: PKey.write_private_key chmod race
-
-CVE-2022-24302 (see changelog for link)
-
-Conflict:NA
-Reference:https://github.com/paramiko/paramiko/commit/4c491e299c9b800358b16fa4886d8d94f45abe2e
-
----
- paramiko/pkey.py        | 12 ++++++++-
- sites/www/changelog.rst | 14 ++++++++++
- tests/test_pkey.py      | 58 ++++++++++++++++++++++++++++++++++++++++-
- 3 files changed, 82 insertions(+), 2 deletions(-)
-
-diff --git a/paramiko/pkey.py b/paramiko/pkey.py
-index 5bdfb1d..40afe19 100644
---- a/paramiko/pkey.py
-+++ b/paramiko/pkey.py
-@@ -551,7 +551,17 @@ class PKey(object):
- 
-         :raises: ``IOError`` -- if there was an error writing the file.
-         """
--        with open(filename, "w") as f:
-+        # Ensure that we create new key files directly with a user-only mode,
-+        # instead of opening, writing, then chmodding, which leaves us open to
-+        # CVE-2022-24302.
-+        # NOTE: O_TRUNC is a noop on new files, and O_CREAT is a noop on
-+        # existing files, so using all 3 in both cases is fine. Ditto the use
-+        # of the 'mode' argument; it should be safe to give even for existing
-+        # files (though it will not act like a chmod in that case).
-+        kwargs = dict(flags=os.O_WRONLY | os.O_TRUNC | os.O_CREAT, mode=o600)
-+        # NOTE: yea, you still gotta inform the FLO that it is in "write" mode
-+        with os.fdopen(os.open(filename, **kwargs), mode="w") as f:
-+            # TODO 3.0: remove the now redundant chmod
-             os.chmod(filename, o600)
-             self._write_private_key(f, key, format, password=password)
- 
-diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
-index c423f5a..5867999 100644
---- a/sites/www/changelog.rst
-+++ b/sites/www/changelog.rst
-@@ -2,6 +2,20 @@
- Changelog
- =========
- 
-+- :bug:`-` (`CVE-2022-24302
-+  <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24302>`_) Creation
-+  of new private key files using `~paramiko.pkey.PKey` subclasses was subject
-+  to a race condition between file creation & mode modification, which could be
-+  exploited by an attacker with knowledge of where the Paramiko-using code
-+  would write out such files.
-+
-+  This has been patched by using `os.open` and `os.fdopen` to ensure new files
-+  are opened with the correct mode immediately. We've left the subsequent
-+  explicit ``chmod`` in place to minimize any possible disruption, though it
-+  may get removed in future backwards-incompatible updates.
-+
-+  Thanks to Jan Schejbal for the report & feedback on the solution, and to
-+  Jeremy Katz at Tidelift for coordinating the disclosure.
- - :release:`2.8.1 <2021-11-28>`
- - :bug:`985` (via :issue:`992`) Fix listdir failure when server uses a locale.
-   Now on Python 2.7 `SFTPAttributes <paramiko.sftp_attr.SFTPAttributes>` will
-diff --git a/tests/test_pkey.py b/tests/test_pkey.py
-index 94b2492..4223544 100644
---- a/tests/test_pkey.py
-+++ b/tests/test_pkey.py
-@@ -23,6 +23,7 @@ Some unit tests for public/private key objects.
- 
- import unittest
- import os
-+import stat
- from binascii import hexlify
- from hashlib import md5
- 
-@@ -36,10 +37,11 @@ from paramiko import (
-     SSHException,
- )
- from paramiko.py3compat import StringIO, byte_chr, b, bytes, PY2
-+from paramiko.common import o600
- 
- from cryptography.exceptions import UnsupportedAlgorithm
- from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateNumbers
--from mock import patch
-+from mock import patch, Mock
- import pytest
- 
- from .util import _support, is_low_entropy
-@@ -686,3 +688,57 @@ class KeyTest(unittest.TestCase):
-             key1.load_certificate,
-             _support("test_rsa.key-cert.pub"),
-         )
-+
-+    @patch("paramiko.pkey.os")
-+    def _test_keyfile_race(self, os_, exists):
-+        # Re: CVE-2022-24302
-+        password = "television"
-+        newpassword = "radio"
-+        source = _support("test_ecdsa_384.key")
-+        new = source + ".new"
-+        # Mock setup
-+        os_.path.exists.return_value = exists
-+        # Attach os flag values to mock
-+        for attr, value in vars(os).items():
-+            if attr.startswith("O_"):
-+                setattr(os_, attr, value)
-+        # Load fixture key
-+        key = ECDSAKey(filename=source, password=password)
-+        key._write_private_key = Mock()
-+        # Write out in new location
-+        key.write_private_key_file(new, password=newpassword)
-+        # Expected open via os module
-+        os_.open.assert_called_once_with(new, flags=os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode=o600)
-+        os_.fdopen.assert_called_once_with(os_.open.return_value, mode="w")
-+        # Old chmod still around for backwards compat
-+        os_.chmod.assert_called_once_with(new, o600)
-+        assert (
-+            key._write_private_key.call_args[0][0]
-+            == os_.fdopen.return_value.__enter__.return_value
-+        )
-+
-+    def test_new_keyfiles_avoid_file_descriptor_race_on_chmod(self):
-+        self._test_keyfile_race(exists=False)
-+
-+    def test_existing_keyfiles_still_work_ok(self):
-+        self._test_keyfile_race(exists=True)
-+
-+    def test_new_keyfiles_avoid_descriptor_race_integration(self):
-+        # Integration-style version of above
-+        password = "television"
-+        newpassword = "radio"
-+        source = _support("test_ecdsa_384.key")
-+        new = source + ".new"
-+        # Load fixture key
-+        key = ECDSAKey(filename=source, password=password)
-+        try:
-+            # Write out in new location
-+            key.write_private_key_file(new, password=newpassword)
-+            # Test mode
-+            assert stat.S_IMODE(os.stat(new).st_mode) == o600
-+            # Prove can open with new password
-+            reloaded = ECDSAKey(filename=new, password=newpassword)
-+            assert reloaded == key
-+        finally:
-+            if os.path.exists(new):
-+                os.unlink(new)
--- 
-2.27.0
-

backport-Use-args-not-kwargs-to-retain-py2-compat-for-now.patch

@@ -1,72 +0,0 @@
-From 76b781754bfefe21706762442c422bac523701e4 Mon Sep 17 00:00:00 2001
-From: Jeff Forcier <jeff@bitprophet.org>
-Date: Mon, 14 Mar 2022 19:21:01 -0400
-Subject: [PATCH] Use args, not kwargs, to retain py2 compat for now
-
-This patch is the rear patch of CVE-2022-24302
-
-Conflict:NA
-Reference:https://github.com/paramiko/paramiko/commit/76b781754bfefe21706762442c422bac523701e4
-
----
- paramiko/pkey.py        | 5 +++--
- sites/www/changelog.rst | 8 ++++++++
- tests/test_pkey.py      | 6 ++++--
- 3 files changed, 15 insertions(+), 4 deletions(-)
-
-diff --git a/paramiko/pkey.py b/paramiko/pkey.py
-index 40afe19..c9fc60b 100644
---- a/paramiko/pkey.py
-+++ b/paramiko/pkey.py
-@@ -558,9 +558,10 @@ class PKey(object):
-         # existing files, so using all 3 in both cases is fine. Ditto the use
-         # of the 'mode' argument; it should be safe to give even for existing
-         # files (though it will not act like a chmod in that case).
--        kwargs = dict(flags=os.O_WRONLY | os.O_TRUNC | os.O_CREAT, mode=o600)
-+        # TODO 3.0: turn into kwargs again
-+        args = [os.O_WRONLY | os.O_TRUNC | os.O_CREAT, o600]
-         # NOTE: yea, you still gotta inform the FLO that it is in "write" mode
--        with os.fdopen(os.open(filename, **kwargs), mode="w") as f:
-+        with os.fdopen(os.open(filename, *args), "w") as f:
-             # TODO 3.0: remove the now redundant chmod
-             os.chmod(filename, o600)
-             self._write_private_key(f, key, format, password=password)
-diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
-index 5867999..a71212d 100644
---- a/sites/www/changelog.rst
-+++ b/sites/www/changelog.rst
-@@ -2,6 +2,14 @@
- Changelog
- =========
- 
-+- :bug:`2001` Fix Python 2 compatibility breakage introduced in 2.10.1. Spotted
-+  by Christian Hammond.
-+
-+  .. warning::
-+      This is almost certainly the last time we will fix Python 2 related
-+      errors! Please see `the roadmap
-+      <https://bitprophet.org/projects/#roadmap>`_.
-+
- - :bug:`-` (`CVE-2022-24302
-   <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24302>`_) Creation
-   of new private key files using `~paramiko.pkey.PKey` subclasses was subject
-diff --git a/tests/test_pkey.py b/tests/test_pkey.py
-index 4223544..59c2001 100644
---- a/tests/test_pkey.py
-+++ b/tests/test_pkey.py
-@@ -708,8 +708,10 @@ class KeyTest(unittest.TestCase):
-         # Write out in new location
-         key.write_private_key_file(new, password=newpassword)
-         # Expected open via os module
--        os_.open.assert_called_once_with(new, flags=os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode=o600)
--        os_.fdopen.assert_called_once_with(os_.open.return_value, mode="w")
-+        os_.open.assert_called_once_with(
-+            new, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, o600
-+        )
-+        os_.fdopen.assert_called_once_with(os_.open.return_value, "w")
-         # Old chmod still around for backwards compat
-         os_.chmod.assert_called_once_with(new, o600)
-         assert (
--- 
-2.27.0
-

python-paramiko.spec

@@ -1,17 +1,15 @@
 Name:          python-paramiko
-Version:       2.8.1
-Release:       3
+Version:       2.11.0
+Release:       1
 Summary:       Python SSH module
 License:       LGPLv2+
 URL:           https://github.com/paramiko/paramiko
 Source0:       https://github.com/paramiko/paramiko/archive/%{version}/paramiko-%{version}.tar.gz
 
-Patch0:        paramiko-2.7.2-drop-pytest-relaxed.patch
 # Skip tests requiring invoke if it's not installed
 # Can be removed when https://github.com/paramiko/paramiko/pull/1667/ is released
 Patch6000:      backport-Skip-tests-requiring-invoke.patch
-Patch6001:      backport-CVE-2022-24302.patch
-Patch6002:      backport-Use-args-not-kwargs-to-retain-py2-compat-for-now.patch
+Patch6001:	0003-remove-pytest-relaxed-dep.patch
 
 BuildArch:     noarch
 
@@ -71,6 +69,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} pytest-%{python3_version}
 %doc html/ demos/ NEWS README.rst
 
 %changelog
+* Thu Jun 23 2022 houyingchao <houyingchao@h-partners.com> - 2.11.0-1
+- Upgrade to version 2.11.0
+
 * Mon Mar 28 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2.8.1-3
 - fix CVE-2022-24302 and the rear patch of CVE-2022-24302